Rep. Mike Rogers, Alejandro Mayorkas of the Department of Homeland Security and DARPA director Arati Prabhakar joined experts Oct. 1 to discuss the next generation of cyber defense. (Meena Ganesan/Washington Post Live)

Arati Prabhakar
Director, Defense Advanced Research Projects Agency

“The moon shot for cybersecurity in my view is to find techniques that scale faster than this explosion in information . . . A combination of fundamental advances has the potential to get us to a place not where we never have a cybersecurity problem, but where it’s manageable and we can get on with our lives.

“Our mission today is still about breakthrough technologies for national security. What we’re asking about cybersecurity is, ‘What are the technology concepts that could fundamentally change the ground rules and give us a way to get out ahead?’

“We’re working on ways to build unhackable embedded systems. I hope you will see that rolling out into automobiles in the commercial sector and UAVs [unmanned aerial vehicles] in the national security context. I hope after our Cyber Grand Challenge that you start to see automated cyberdefense systems that become commercial products that people who are worried about their own cybersecurity can purchase and start using.”

"The alarm [over cyber attacks] is not cause for alarm but a call to action," Deputy Secretary Alejandro Mayorkas said at The Post’s Cybersecurity Summit. (Meena Ganesan/Washington Post Live)

Alejandro Mayorkas
Deputy secretary, Department of Homeland Security

“I do not ascribe to a school of pessimism, and by that, I don’t mean to belittle the magnitude of the threat, both in terms of its gravity and its frequency of occurrence. I think everyone understands that cybersecurity is a field of growth. With respect to the security of the government, and with respect to the security of the private sector, I would take the alarm not as necessarily a cause for concern, but rather as a call to action. While attackers are, in fact, becoming more and more sophisticated, our prevention capabilities are growing in sophistication, our detection capabilities are growing in sophistication, our response and remediation capabilities are escalating as well.

“The cyber threat is real and I think it will be a growth industry. We in the government, specifically in the Department of Homeland Security, have a number of tools and resources to deploy to protect a dot-gov environment.”

Rep. Mike Rogers (R-Mich.)
Chairman, House Intelligence Committee

“What we have seen in the past is that al-Qaeda, ISIS and other organizations have reached out and tried to find individuals who have the right capabilities to put together a cyberattack capability. We’ve never seen them actually put it together to where they could penetrate or do some cyber-disruption activities. But we know they have the aspiration to do it. I don’t think that we’re using all U.S. cyber capabilities to disrupt their ability to have these recruiting tools that we see are, candidly, very effective.

“Part of the challenge is, the [U.S.] government has about 15 percent of the networks and the private sector holds about 85 percent of the networks. Contrary to popular belief, the NSA is not monitoring those networks. It’s not on those networks. So, the only way that they see anything coming in is from the outside. You don’t want to reach overseas and flick somebody in the forehead if we’re not exactly 100 percent sure that that was the perpetrator of that [cyberattack]. If you start this digital vigilantism about, ‘Well, I got hacked. I’m going to go do something about it,’ you could create a storm here, of which the rest of the network — that 85 percent — is not prepared to handle.”

John Carlin
Assistant attorney general for national security, Justice Department

“I’d say the top threat are those who would not be deterred. If they had the capability, they would use it. To my mind, that’s the terrorist organizations.

“As a nation, and like many countries in the world, we have put almost everything we value into cyberspace. We put our personal information. We put our financial information. We put the way we operate our critical infrastructure. It’s digitally stored, and most of it is connected to the Internet. The flip side of that means all the same bad guys and all the same activity that we’ve seen for years in the brick-and-mortar world is going after where the money is, where the secrets are and where they can cause damage. As we put more of what we value, we’re seeing the number of criminal groups that are trying to target it increase. We’re seeing nation states develop it as part of their strategies.”

Eric Rosenbach
Assistant secretary of defense for homeland defense and global security, Defense Department

“We’ll work with other nations’ militaries. There’s a lot of demand in the world right now for people trying to figure out how to build their equivalent of a cyber command. And the reason we do that is we want them to do that in a responsible way. There’s some things we’ve learned that we didn’t do as well as we could have. How you balance that with respect for civil liberties within the law . . . executive oversight of military organizations.

“Offensive operations are something that are always an option. But it’s only one of many tools that you have available on the policy spectrum. Before you would ever take offensive action, you would want to work diplomatic channels first.”


Dana Priest, a national security reporter for The Washington Post, interviews, from left, government cyber experts Christopher Painter, John Carlin and Eric Rosenbach as part of The Post’s Cybersecurity Summit. (Kate Patterson/For The Washington Post)

Christopher Painter
Coordinator, cyber issues, State Department

“The consequence of cyber being the new black [in the United States] — where everyone cares about cyber and everyone wants to talk about cyber — is increasingly happening around the world. As you get countries doing national strategies around cyberspace, as you get them paying more attention to this, as you get them reaching out and saying, ‘How can we build these more cooperative frameworks against these threats?’ I think that’s helpful to us all.

“Now people understand it’s a major national security issue . . . an economic security issue, human rights issue and foreign policy issue. Getting other countries to get to that same level is one of the challenges. But more and more countries are.”

Michael McKeown
Supervisory special agent, Cyber Division, FBI headquarters

“A couple of years ago [when a Russian crime ring was targeting banks], we had a threat against the financial sector. We brought in a lot of the largest financial entities and gave them essentially what we would call clearance for a day . . . to share information that would help them in real time. So we’re getting better at getting that information out in a controlled structure to sectors, to partners. The key being real-time information.”

Jane Holl Lute
President and chief executive, Council on CyberSecurity

“We know what to do for basic cyber hygiene. We’re just not doing it. Basic hygiene will prevent 80 to 90 percent of all known attacks today. Do you know what’s connected to your network? Do you know what’s running or trying to run on your network? Do you know who has administrative permissions to change, bypass or override your configurations? And do you have an automated system in place like DHS’s [Department of Homeland Security] continuous diagnostic and mitigation that allows you to be alert to vulnerabilities when they happen and patch them and take appropriate remediative action? Those top five of the 20 critical security controls constitute basic hygiene. We’re broadly not doing it and there’s no excuse now for why we’re not. Let’s use some common-sense things. Do you know who’s getting on your networks at home? Pay attention. Secure it.

“We need to be smarter consumers, smarter citizens, smarter members of society when it comes to being online. But we also have a right to expect that companies and enterprises with whom we share our data are taking the basic measures. What expectation should we give to manufacturers? Why don’t we get systems shipped with the security configuration switched on? Why do we all have to figure this out for ourselves? What will the role of government be as we distribute responsibility?

“Let’s prevent what we can at costs we can afford. That will reduce the noise level in the threat space and allow important, complex companies to focus precious resources on those advanced persistent threats. But we’re not even making it hard right now.”


Tiffany Rad (Kate Patterson/For The Washington Post)

Tiffany Rad
Security researcher and lawyer

“There’s always a trade-off between security and convenience. When we have ‘bring your own device to work,’ there are vulnerabilities that can be exploited in someone’s home and then be brought into the corporate network. When it comes to that type of trade-off, what I teach my students is to think like hackers. While that may sound scary to some, we’re graduating students where they’re writing code and they’re considering the security implications of every line of code they write. It’s not just ‘How fast does the algorithm run?’ but ‘How secure is the stuff that you’re producing?’

“So when the students graduate and they go out into the workforce and work for all of you in private industry, they are designing things that are more secure. We like to think that this is going to be changing through the graduates that we have in the United States, taking jobs here in the U.S. Maybe they’ll raise their hand in company meetings and say, ‘Hey, I think there’s a different way that we could do this that would make it better and more secure.’”

Protecting the electrical grid

Andy Bochman
Senior cyber and energy security strategist, Idaho National Laboratory

“The [electrical] grid is not all one thing. It’s many different pieces, and it’s designed to be resilient in the face of natural disasters and storm activity that happens all the time to it. It’s not nearly as simple as saying one very intelligent hacker can come in and start to take control of things. There are a lot of layers of protection, some of them vestigial from the way the grid was designed, even before computers came to the fore.”


Eric Friedberg (Kate Patterson/For The Washington Post)

Eric Friedberg
Stroz Friedberg

“The main challenge for us as critical-incident responders is what corporations need from law enforcement not on day 20, not on day 40 or not on day 60, but what we need on day one or day two. There’s a real strain going on right now in the speed at which private incident responders are able to get that information from the government.

“It’s a cat-and-mouse game where companies are often playing catch-up.”

Ellen Richey
Executive vice president and chief legal officer, Visa, Inc.

“In terms of who pays and what happens when this breach might occur, wherever it might be, the first thing that everybody needs to be clear on: Here in the U.S., it is never the consumer — or only very rarely the consumer — who suffers any financial loss. That’s because here in the U.S., we have a zero-liability policy that I’m sure you’ve heard all about, and your bank will take the charges off if they are unauthorized charges.

“Once [a breach] is identified, this huge machinery goes into place where the payment brands such as ourselves and our competitors get the information about the accounts that might have gone through that environment, and we get that information out to your banks. As consumers, you know that your bank has that information and can either monitor your account with special scoring because they know it’s been exposed and protect you from the fraud, or reissue your account.

“Consumers are protected financially to avoid the hassle. I would suggest one other thing you can do is sign up for real-time alerts from your bank. You can be in control of the use of your card the minute anybody is using it improperly. You’ll see it yourself and you can be the one who notifies the bank, not the other way around.”

Brian Dodge
Retail Industry Leaders Association

“There’s enormous brand risk to the businesses that are hacked and the cost, ultimately, is something that’s shared between all the players. It’s shared between merchants, banks and the institutions across the payments ecosystem, which is why we have argued that the solution to these problems is one where all those players work together.”


Mary Jordan, editor of Washington Post Live, interviews, from left, Jane Holl Lute, Brian Dodge, Erin Jacobs and Ellen Richey at the Post’s Oct. 1 Cybersecurity Summit. (Kate Patterson/For The Washington Post)

Erin Jacobs
Urbane Security

“Be careful what you share on social networks. I have a lot of friends in the security industry who are not on any social networks. But guess what? Their wives, their friends, their family, their kids — they are. And they’re telling everything about them. And also our system in the U.S. doesn’t help because we have so much public domain information. I think we need to do personal risk assessments of our own information and understand what’s important to us and what we’re willing to share and what we’re not.”

Phil Reitinger
VisionSpear

“Over a period of time, somebody devoting enough resources to get into your networks will.

“The defenders are getting better. But attackers are getting better, too. There are more of them, and there’s more information available and valuable online.

“A lot of our technologies don’t scale well. That means that if you can’t solve a problem completely with technology, you’ve got to have the right people.”
